[CLUE-Tech] Auto blocking hosts w/ iptables

Hani Duwaik hduwaik at yahoo.com
Thu Jul 29 14:03:11 MDT 2004


--- Collins Richey <erichey2 at comcast.net> wrote:
> 
> Have you looked at tenshi? From the advertising blurb, it looks like
> it
> can do much of what you are seeking.
> 
> > http://www.gentoo.org/proj/en/infrastructure/tenshi/index.xml
> 
> 
> -- 
>  /\/\
> ( CR ) Collins Richey
>  \/\/     fly Independence Air - they run Linux
> 

Collins,

Tenshi looks very interesting from a passive monitoring perspective.
However, I'm looking for something that will allow me to execute
specific code if/when a criterion is met.

Specifically, if I see a specific attack signature in my apache logs
(i.e., the buffer overflow that applies to IIS), I want to immediately
block the IP of that user via iptables.  Also, since I'm using
'firestarter,' I'd need to also modify the firestarter config files to
block the IP in the future.  While I'm aware that this will result in
several false positives, this is my personal webserver and only myself and
some friends/family will access it, so I'm not too concerned with
blocking 'innocent' IPs (if someone complains, I can easily unblock
their IPs).

So far, Portsentry looks good from the perspective of opening a dummy
port through my poor-excuse-for-a-firewall (linksys router) and
blocking port scanners.  I might also use Snort for general NIDS (if my
box does get compromised, I might be able to catch any malicious
activities and prevent it from attacking my other systems or being used
as a zombie).

Worst case, I may write a simple Perl script to monitor the apache log
file and execute my code if/when an attack is detected.

Just some thoughts...

-Hani
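The log-watching blocker Hani sketches above, written out as an added example in Python rather than the Perl he proposes; this is not code from the thread. The signature regex is a constructed placeholder standing in for whatever request pattern the operator treats as an attack, the deny-list path is an assumed location for persisting blocks across firewall restarts (not a real firestarter file), and `dry_run` prints the iptables command instead of executing it so the script can be exercised unprivileged.

```python
#!/usr/bin/env python3
"""Apache log watcher that blocks offending hosts with iptables (added example)."""
import re
import subprocess
import time
from pathlib import Path

# Apache "common"/"combined" log line: client IP first, request line in quotes.
LOG_LINE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[[^\]]+\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3})'
)

# Placeholder signature (constructed for this example): requests for
# IIS-style resources that an Apache host never serves. The operator
# substitutes whatever pattern they consider an attack.
DEFAULT_SIGNATURE = re.compile(r'\.(?:dll|ida)(?:\?|\s|$)', re.IGNORECASE)


def extract_offender(line, signature=DEFAULT_SIGNATURE):
    """Return the client IP if the request line matches the signature, else None."""
    m = LOG_LINE.match(line)
    if m and signature.search(m.group("request")):
        return m.group("ip")
    return None


class Blocker:
    """Issues one iptables DROP per offending IP and records it in a deny list.

    deny_file is an assumed path (a file the firewall front end could re-read
    at start-up); None keeps the list in memory only. dry_run prints the
    iptables command instead of running it.
    """

    def __init__(self, deny_file=None, dry_run=True):
        self.deny_file = Path(deny_file) if deny_file else None
        self.dry_run = dry_run
        self.blocked = set()
        if self.deny_file and self.deny_file.exists():
            self.blocked.update(self.deny_file.read_text().split())

    def block(self, ip):
        """Block ip once; return True if a new rule was added."""
        if ip in self.blocked:
            return False
        # argv list form, and ip is already constrained to a dotted quad by
        # LOG_LINE, so nothing taken from the log ever reaches a shell.
        cmd = ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]
        if self.dry_run:
            print("would run:", " ".join(cmd))
        else:
            subprocess.run(cmd, check=True)
        if self.deny_file:
            with self.deny_file.open("a") as fh:
                fh.write(ip + "\n")
        self.blocked.add(ip)
        return True


def scan(lines, blocker, signature=DEFAULT_SIGNATURE):
    """Feed log lines to the blocker; return the IPs newly blocked, in order."""
    newly = []
    for line in lines:
        ip = extract_offender(line, signature)
        if ip and blocker.block(ip):
            newly.append(ip)
    return newly


def follow(path, poll=1.0):
    """Yield lines appended to path, like `tail -f` (does not handle rotation)."""
    with open(path) as fh:
        fh.seek(0, 2)  # start at the end: react only to new requests
        while True:
            line = fh.readline()
            if line:
                yield line.rstrip("\n")
            else:
                time.sleep(poll)


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '198.51.100.7 - - [29/Jul/2004:13:55:36 -0600] "GET /index.html HTTP/1.1" 200 2326',
    '203.0.113.9 - - [29/Jul/2004:13:55:40 -0600] "GET /scripts/example.dll HTTP/1.0" 404 294',
    '203.0.113.9 - - [29/Jul/2004:13:55:41 -0600] "GET /scripts/example.ida HTTP/1.0" 404 294',
    'not a log line at all',
]

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # live mode: blocker.py /var/log/apache2/access.log (as root)
        scan(follow(sys.argv[1]), Blocker("/var/lib/blocker/deny.txt", dry_run=False))
    else:
        print(scan(SAMPLE_LOG, Blocker()))  # prints ['203.0.113.9']
```

The second hit from 203.0.113.9 is deduplicated, so a noisy scanner produces one rule rather than one per request. Two caveats for real use: `follow()` keeps the original file descriptor, so a logrotate run silently stops the watcher until it is restarted, and an attacker who can spoof request lines into the log (or a proxy in front of Apache) can get an arbitrary dotted quad blocked, which is exactly the false-positive risk Hani accepts for a personal server.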

